Graylog extractors for Sophos UTM 9 standard syslog fields
The Sophos UTM remote syslog capabilities use a non-standard message format. Importing these messages into Graylog requires the use of a "Raw/plain text" input (either TCP or UDP will be fine) together with extractors that parse the lines into the standard syslog fields.
The extractors in this repository will do the following:

1. Extract the standard syslog fields, among them process_id (only if present in the line; e.g. it won't be with kernel messages), and
2. modify the message field so that it no longer contains the fields extracted in step 1.

As the change in step 2 is destructive, the extractor named Syslog field "message" must be the last extractor in the list.
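To illustrate the two steps above outside Graylog, here is an added Python example (not part of this repository's extractors.json) that performs the same extract-then-trim sequence on constructed lines. It assumes the `YYYY:MM:DD-HH:MM:SS <host> <process>[<pid>]: <message>` line layout, which is an assumption of the example, and shows why the destructive step has to run last.

```python
import re
from datetime import datetime

# Assumed Sophos UTM 9 remote-syslog layout (an assumption of this example,
# not taken from the repository's extractors.json):
#   YYYY:MM:DD-HH:MM:SS <hostname> <process>[<pid>]: <rest of message>
# Kernel lines carry no "[pid]" part, so process_id is optional.
_HEADER = re.compile(
    r"^(?P<timestamp>\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2})\s+"
    r"(?P<source>\S+)\s+"
    r"(?P<process>[^\[\]:\s]+)(?:\[(?P<process_id>\d+)\])?:\s*"
)

def extract_fields(line: str) -> dict:
    """Step 1: pull the standard syslog fields out of the raw line.

    Returns an empty dict if the line does not match, so a non-UTM line
    is left alone rather than mangled.
    """
    m = _HEADER.match(line)
    if not m:
        return {}
    fields = {k: v for k, v in m.groupdict().items() if v is not None}
    # Normalise the UTM timestamp to ISO 8601 so it can be indexed as a date.
    fields["timestamp"] = datetime.strptime(
        fields["timestamp"], "%Y:%m:%d-%H:%M:%S"
    ).isoformat()
    return fields

def trim_message(line: str) -> str:
    """Step 2 (destructive): drop the header fields from the message.

    Run this only after extract_fields(); once the header is gone the
    fields can no longer be recovered from the message.
    """
    m = _HEADER.match(line)
    return line[m.end():] if m else line

def process(line: str) -> dict:
    """Apply both steps in the order the README requires."""
    fields = extract_fields(line)           # non-destructive first
    fields["message"] = trim_message(line)  # destructive last
    return fields

# Constructed sample lines (not real UTM output).
SAMPLES = [
    '2019:01:25-10:30:05 utm httpproxy[4321]: id="0001" severity="info" sys="SecureWeb"',
    "2019:01:25-10:30:06 utm kernel: Unknown netlink message type",
]
```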
1. In Graylog, create an input of type Raw/Plaintext (TCP) or Raw/Plaintext (UDP).
2. After creating the input, click on the corresponding Manage extractors button.
3. In the upper right click on Actions and select
4. Copy & paste the extractors from the extractors.json file in this repository.
5. Optionally use the Sort extractors button after importing them. As stated above, make sure the Syslog field "message" extractor is the last one run.
provides extractors for various other fields in the parts. Their extractors can be used with my extractors at the same time.
I appreciate bug reports or merge requests. You can also contact me at